Digital Forensics In the Real World


Aung Zaw, BSides Myanmar


The main goal of digital forensics is to answer
the "big five" questions about any digital incident:

- What
- Where
- When
- Who
- How


The fundamentals of the most common
digital investigations include:

- Digital Evidence
- Digital Forensics Tools
- Scientific Method


In any crime investigation, the
foundation is the evidence; for
instance, a fingerprint in a homicide
case.

In the digital world, evidence is
defined as any digital information
that is stored, transmitted or
produced by electronic devices
and/or software.


Examples of digital evidence

- Pictures produced by cameras
- Print logs saved on printers
- Temporary files produced by a web browser
- Downloaded files
- Email messages
- Deleted files
- Log files


Tools have an important role in the
forensic investigation process.

But digital forensics isn't just about
using tools. An investigator is
expected to have a deep
understanding of the underlying
technology they are dealing with.


There are different types of DF tools
available for you to use:

- Commercial products
- Open source
- Your own

You need to choose the best tool
for your investigation.


Digital Forensics Life Cycle 


Acquisition 


Acquisition is the process of obtaining a
forensically sound image (physically or
remotely) of the evidence to be analyzed.


Evidence acquisition is important because
the validity of every later step depends on
the validity of this phase: evidence
collected incorrectly or illegally will be
unacceptable in the later steps.


Acquisition steps should be done 
carefully because any wrong action will 
ruin the evidence and could lead to 
completely different results. 


For example, if the investigator
opens a file (just for reading), this
action can change the file's properties,
such as its last access time.


[Screenshot: Windows file Properties dialog showing "Opens with: Word", location C:\Users\aungz\Desktop, Size 982 KB (1,005,716 bytes) and Size on disk 984 KB (1,007,616 bytes)]
Also, the first responder might need to
capture a live image of RAM,
because this may help to determine
what exactly was the last thing the
suspect did, or what happened last
on their computer.
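The acquisition and verification logic in code, as an added example (Python) that is not part of the talk: it records the source file's MAC times before anything reads it, streams a bit-for-bit copy while hashing the bytes, then re-hashes the written image so that a mismatch is caught immediately. The evidence file, its paths and its contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so images larger than RAM still work


def _utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def record_mac_times(path):
    """Snapshot size and MAC times BEFORE anything reads the file. Opening a
    file on a live system may update its access time, so this runs first."""
    st = os.stat(path)
    return {"size": st.st_size, "modified": _utc(st.st_mtime),
            "accessed": _utc(st.st_atime),
            # st_ctime is inode change time on Unix, creation time on Windows
            "changed_or_created": _utc(st.st_ctime)}


def hash_file(path):
    """MD5 and SHA-256 of a file, computed in a single pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def acquire(source, image_path):
    """Copy `source` to `image_path` byte for byte, hashing the bytes as they
    are read, then re-hash the written image. Returns a dict for the
    chain-of-custody notes; `verified` is True only if both hashes match."""
    notes = {"source": source, "image": image_path,
             "metadata": record_mac_times(source)}
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
    notes["source_md5"], notes["source_sha256"] = md5.hexdigest(), sha.hexdigest()
    notes["image_md5"], notes["image_sha256"] = hash_file(image_path)
    notes["verified"] = (notes["source_md5"] == notes["image_md5"]
                         and notes["source_sha256"] == notes["image_sha256"])
    notes["acquired_at"] = datetime.now(timezone.utc).isoformat()
    return notes


def verify_image(image_path, expected_sha256):
    """Re-check an image against the SHA-256 recorded at acquisition."""
    return hash_file(image_path)[1] == expected_sha256


def demo():
    """Run the whole flow on a constructed evidence file (not real case data).
    Returns the notes, the expected SHA-256 of the constructed bytes, and the
    verification result before and after the image is tampered with."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "usb.bin")  # hypothetical evidence file
    img = os.path.join(workdir, "usb.dd")   # hypothetical image file
    data = b"constructed evidence bytes\n" * 4096
    with open(src, "wb") as f:
        f.write(data)
    notes = acquire(src, img)
    before = verify_image(img, notes["source_sha256"])
    with open(img, "ab") as f:
        f.write(b"\x00")  # a single changed byte must break verification
    after = verify_image(img, notes["source_sha256"])
    return {"notes": notes, "expected_sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data), "verified_before": before, "verified_after": after}


if __name__ == "__main__":
    result = demo()
    for key in ("source_sha256", "image_sha256", "verified", "acquired_at"):
        print(key, result["notes"][key])
    print("metadata", result["notes"]["metadata"])
```

Real acquisitions target a block device behind a hardware write blocker (with dd, FTK Imager or similar); this shows only the bookkeeping those tools do for you. Record both hash values on the chain-of-custody form and re-run verify_image() before analysis starts and whenever the image changes hands.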
Analysis


The most important thing to consider
is preserving the original evidence
without alteration, which is why,
before starting your analysis, you
should create a forensic image of the
evidence and perform your analysis on
that image (sometimes this is not
possible).
[Screenshot: file listing from a forensic image, showing entries such as thirdeye-FTK 7.6.rar, ubuntu-22.04-live-server-amd64.iso, VMK-KEYS.evk and XAMN Launcher.exe marked "existing", with their sizes and MAC timestamps]
Presentation


The last investigation phase is presentation, where
you should provide:

- A report of your analysis results, mentioning the
  artifacts you found.
- The steps you followed to reveal these artifacts.
- The tools used for your analysis.

Depending on your experience, you should provide a
reasonable explanation of these artifacts and how they
help the current investigation.


Hidden data types encompass the
following:

- Metadata
- Residual data
- Replicant data


Metadata 


- Defined as "data about data", metadata
  provides context or additional information
  about data and files, such as the date of file
  creation, or information about the file
  structure.

- Metadata is considered one of the most
  valuable pieces of evidence as it contains a lot
  of information about a file, such as the name of
  the file owner and the file's last modification,
  access and creation times (the MAC times:
  Modified, Accessed, Created).


You could use metadata in your analysis to
prove that a document was created on
the suspect's device, provided the
timestamps were not altered.


Aung Zaw Myo 
www.forensicsmyanmar.com


[Screenshot: Microsoft Word document properties showing Comments, Revision number, program "Microsoft Office Word", the timestamps 1/3/2023 4:31 PM, 1/7/2023 2:21 PM and 1/7/2023 11:59 AM, and a duration of 11:19:00]


EXIF Data 


Exchangeable Image File Format
(EXIF) is a standard that defines
specific information related to an
image or other media captured by a
digital camera. It can store
important data such as camera
exposure settings, the date/time the image
was captured, and even GPS location.
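EXIF parsing, as an added example (Python) that is not from the talk: a minimal reader that walks the JPEG segment list to the APP1/Exif segment, decodes IFD0 and the GPS sub-IFD, and converts the degrees/minutes/seconds rationals to decimal coordinates. The JPEG is constructed inside the block; its camera make, model, timestamp and coordinates are invented for the demo.

```python
import struct

# Tag names used here (a subset of the EXIF/TIFF and GPS tag tables).
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfoIFD",
        0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
        0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
TYPE_SIZE = {2: 1, 3: 2, 4: 4, 5: 8}  # ASCII, SHORT, LONG, RATIONAL (bytes per item)


def _read_ifd(tiff, off, end):
    """Parse one Image File Directory at TIFF offset `off`; `end` is '<' or '>'."""
    count = struct.unpack_from(end + "H", tiff, off)[0]
    entries = {}
    for i in range(count):
        pos = off + 2 + 12 * i
        tag, typ, n = struct.unpack_from(end + "HHI", tiff, pos)
        size = TYPE_SIZE.get(typ, 1) * n
        vpos = pos + 8  # value is inline if it fits in 4 bytes, else this holds an offset
        if size > 4:
            vpos = struct.unpack_from(end + "I", tiff, vpos)[0]
        raw = tiff[vpos:vpos + size]
        if typ == 2:
            value = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ in (3, 4):
            value = struct.unpack(end + ("H" if typ == 3 else "I") * n, raw)
            value = value[0] if n == 1 else value
        elif typ == 5:
            nums = struct.unpack(end + "I" * (2 * n), raw)
            value = tuple(nums[j] / nums[j + 1] for j in range(0, len(nums), 2))
        else:
            value = raw
        entries[TAGS.get(tag, hex(tag))] = value
    return entries


def parse_exif(jpeg):
    """Walk JPEG segments to the APP1/Exif segment and return the IFD0 tags,
    plus the GPS IFD under key 'GPS' when the file has one."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + seglen]
            end = "<" if tiff[:2] == b"II" else ">"  # byte order mark
            ifd0 = _read_ifd(tiff, struct.unpack_from(end + "I", tiff, 4)[0], end)
            if "GPSInfoIFD" in ifd0:
                ifd0["GPS"] = _read_ifd(tiff, ifd0["GPSInfoIFD"], end)
            return ifd0
        if marker == 0xFFDA:  # start of scan: compressed image data follows
            break
        pos += 2 + seglen
    return {}


def dms_to_decimal(dms, ref):
    """Convert (degrees, minutes, seconds) plus hemisphere letter to signed degrees."""
    d, m, s = dms
    dec = d + m / 60 + s / 3600
    return -dec if ref in ("S", "W") else dec


def _ifd(entries, base):
    """Build a big-endian IFD placed at TIFF offset `base` (sample construction only)."""
    data_off = base + 2 + 12 * len(entries) + 4  # data area starts after the directory
    directory, data = b"", b""
    for tag, typ, payload in entries:
        if typ == 2:
            raw = payload.encode() + b"\0"
        elif typ == 4:
            raw = struct.pack(">I", payload)
        else:  # type 5: list of (numerator, denominator) pairs
            raw = b"".join(struct.pack(">II", *r) for r in payload)
        n = len(raw) // TYPE_SIZE[typ]
        if len(raw) <= 4:
            value = raw.ljust(4, b"\0")
        else:
            value = struct.pack(">I", data_off + len(data))
            data += raw
        directory += struct.pack(">HHI", tag, typ, n) + value
    return struct.pack(">H", len(entries)) + directory + struct.pack(">I", 0) + data


def build_sample_jpeg():
    """Constructed JPEG with an Exif APP1 segment (all values invented)."""
    ifd0 = [(0x010F, 2, "Canon"), (0x0110, 2, "EOS 5D"),
            (0x0132, 2, "2023:01:07 14:21:00"), (0x8825, 4, 0)]
    gps_off = 8 + len(_ifd(ifd0, 8))  # GPS IFD follows IFD0; a LONG is always 4 bytes
    ifd0[3] = (0x8825, 4, gps_off)
    gps = [(1, 2, "N"), (2, 5, [(16, 1), (47, 1), (2312, 100)]),
           (3, 2, "E"), (4, 5, [(96, 1), (9, 1), (3456, 100)])]
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + _ifd(ifd0, 8) + _ifd(gps, gps_off)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

In casework use exiftool or an imaging library; the point here is to see where the fields live. The timestamp is whatever the camera's clock said and EXIF is trivially edited, so treat it as corroborating rather than conclusive and compare it with the file system MAC times.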
Residual data

- This is deleted data on the disk.

- An important thing to know is that
  even after data deletion occurs the
  data "might" still be there; you
  just cannot see it, for example the
Why did we say "might"? Because if the storage
location was overwritten with new data
(for example, a new file), it will be hard to reach
back to the old data that used to be there.


With that said, it is not hard to retrieve residual
data; all you need is the right tool. It is important
for you to understand how to deal with this type
of data, because deleting files is the first thing
any suspect might do; after all, they want to
hide their incriminating actions, right?
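The "right tool" for residual data is usually a file carver. As an added example (Python, not from the talk), a signature-based carver that finds deleted files by their header and footer bytes in raw unallocated space, run over a constructed image containing a deleted JPEG and a deleted PDF; it also shows what happens when the JPEG's first cluster is reused by new data, which is the "might" above.

```python
# Header/footer signatures for a few common file types (a small constructed table;
# real carvers such as scalpel or foremost ship far longer ones).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image, max_size=16 * 1024 * 1024):
    """Scan a raw image for header/footer pairs regardless of any file system,
    which is what a deleted file looks like once its directory entry is gone.
    Returns a list of (type, offset, bytes) sorted by offset."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(head, start)
            if h < 0:
                break
            t = image.find(tail, h + len(head), h + max_size)
            if t < 0:
                # Header with no footer in range: the file is truncated or its
                # tail has been overwritten. Skip it rather than emit garbage.
                start = h + 1
                continue
            end = t + len(tail)
            found.append((kind, h, image[h:end]))
            start = end
    return sorted(found, key=lambda f: f[1])


def overwrite(image, offset, length):
    """Simulate a new file landing on clusters the deleted file used to occupy."""
    filler = (b"NEWDATA!" * (length // 8 + 1))[:length]
    return image[:offset] + filler + image[offset + length:]


def build_sample_image():
    """Constructed 'unallocated space': filler, a deleted JPEG, filler, a deleted
    PDF, filler. Returns the image and the two original files."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
    unalloc = b"\xaa" * 512
    return unalloc + jpeg + unalloc + pdf + unalloc, jpeg, pdf


if __name__ == "__main__":
    image, jpeg, pdf = build_sample_image()
    for kind, off, data in carve(image):
        print(f"{kind} at offset {off}, {len(data)} bytes")
    # The JPEG's first cluster reused by another file: its header is gone and the
    # carver no longer finds it. This is the 'might' in 'might still be there'.
    damaged = overwrite(image, 512, 8)
    print([kind for kind, _, _ in carve(damaged)])
```

Production carvers (foremost, scalpel, PhotoRec) use much larger signature tables and handle fragmentation and embedded objects; a real JPEG, for instance, often carries an EXIF thumbnail that ends with its own FFD9, so a plain footer search like this one cuts the file short. The overwritten case shows the limit no tool can get past: data that new writes have replaced is gone.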


Replicant data 


This type of data is generated when a
program like a word processor creates a
temporary copy of an opened file. This
is needed as a backup to avoid data
loss in case an error occurs and the file
is forced to close without saving the
JTAG


The Joint Test Action Group (JTAG)
method involves connecting to the
Test Access Ports (TAPs) on a device
and instructing the processor to
transfer the raw data stored on
the memory chip. The JTAG method
is generally used with devices that are
operational but inaccessible using
standard tools.
- Some phones allow JTAG
- JTAG boxes are generally created by hackers
  and cannot always be trusted
- JTAG can be time consuming
- The read rate of the chip may be slow


Chip Off 


Chip-off refers to the acquisition of data directly
from the memory chip present in the device. At this level,
the chip is physically removed from the device and a chip
reader or a second phone is used to extract the data stored
on it. This method is more technically challenging, as a
wide variety of chip types are used in mobiles. The process
is expensive and requires hardware-level knowledge, as it
involves desoldering and heating the memory chip.
Training is required to successfully perform a chip-off
extraction. Improper procedures may damage the memory
chip and render all data unsalvageable. When possible, it
is recommended that the other levels of extraction are
attempted prior to chip-off.


Auto Detection Tips


Android devices 

1. Enable developer options (tap Build Number 7 times) 

2. Enable USB debugging 

3. Enable stay awake (if available) 

4. Set USB connection to enable file transfers (MTP/Media) 


iOS devices 
1. Disable auto-lock 
Advanced ADB


Android Debug Bridge (ADB) is a built-in communication mechanism that
allows device debugging.

With this extraction method, it is possible to perform a physical or file
system extraction, provided that the device's USB Debugging option is
enabled.

UFED will attempt to temporarily gain the permissions required for the
extraction.

It works with Android devices with a security patch level up to (not
including) November 2016.

On some devices, the extraction may be faster than other extraction
methods.

With this extraction method, the Android source device will independently
continue the extraction directly to the user-selected target: a USB mass
storage device (via OTG cable) or an SD memory card.
[Screenshots: DVR Examiner scan of a sample 80 GB H.264 DVR image (file D:\DVR_Examiner Sample_80GB_H264_GMT_8e1..., filesystem blue_dc version 2.2.1, output formats Proprietary Video and Open Video), scan started 2023-04-22 20:33:31 and completed 20:33:43 with 4 clips found; clip preview at native resolution 928 x 480, 56.25 MB, 2014-01-01 04:49:56 to 05:00:00]